
I Think I’ve Been “Phished”, What Should I Do?

I think I may have been “phished” with the “request to confirm” scam email. How can I tell? And if I have been “phished” what do I do now?

First, don’t feel too bad — phishing attempts are getting very, very sophisticated. I haven’t fallen for one yet, but I’ve come darned close a time or two.

But be prepared for a painful recovery if the phishing was successful.

How to tell if you’ve been phished depends on where in the process you are: looking at an email, after clicking a link in the email or other source, or some time thereafter.

What to do after that depends on what information you gave in response to the phishing attempt.


Prevention

In my article, Phishing: How to Know it When You See It, I discuss how to identify potential phishing attempts.

The rule of thumb is to never click on a link in email unless you’re positive it’s safe. Go to the site yourself (by typing the URL into your browser or using a bookmark you’ve saved previously) and log into your account by hand.

If you want more clues as to whether or not an email is a phishing attempt, look carefully at the link you’ve been sent. For example, this link, whose visible text reads:

https://ebay.com

actually points somewhere else and does not take you to eBay. You can tell before clicking on it, since most email programs and web browsers let you hover your mouse pointer over the link and show you, either as a tooltip or in the status bar, where the link really goes.

Misleading Link

When you look at where the link really goes, ensure that:

  • The destination matches what you expect. Exactly. If the link claims to be eBay, it should be for eBay.com. Targets like http://ebay.com.hacker.com, http://ebay.signin.services.ru, http://www.ebay.cc (note that it’s not “.com”) are all attempts to deceive you.
  • The destination is a name, not a number. If the link’s destination is a bare numeric address such as http://72.3.133.152, it’s probably not valid, and definitely not worth the risk.
  • The destination is secure. That means it should begin with https:. If the target destination begins with the regular, unsecured, http: (without the “s”), chances are it’s not legitimate.

If you’re at all uncertain, skip the link and just go to the service yourself, manually.
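Those three checks can be applied mechanically to a link’s real (hover-revealed) target. The example below is added here and is not from the original article: it parses a URL with Python’s standard library and reports which of the checks fail, using the deceptive targets from the list above as constructed samples. It assumes a simple last-two-labels rule for the domain, which ignores multi-part suffixes such as co.uk.

```python
import ipaddress
from urllib.parse import urlsplit

# The site the email claims to be from; the hover-revealed target must match it.
EXPECTED_DOMAIN = "ebay.com"


def registrable_domain(host: str) -> str:
    """'www.ebay.com' -> 'ebay.com'. Assumption: a simple last-two-labels rule,
    which does not handle multi-part suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> list[str]:
    """Apply the three checks from the list above to a link's real target and
    return the failed ones; an empty list means the link passed."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # lowercased; IPv6 brackets already stripped
    problems = []
    if is_ip_literal(host):
        problems.append("destination is an IP address, not a name")
    elif registrable_domain(host) != expected_domain.lower():
        problems.append(f"destination {host!r} is not {expected_domain}")
    if parts.scheme != "https":
        problems.append("destination is not https")
    return problems


if __name__ == "__main__":
    # Constructed sample targets: the deceptive ones from the checklist plus two good ones.
    samples = ["https://www.ebay.com/signin", "https://ebay.com",
               "http://ebay.com.hacker.com", "http://ebay.signin.services.ru",
               "http://www.ebay.cc", "http://72.3.133.152"]
    for link in samples:
        verdict = check_link(link)
        print(f"{link:32} -> {'; '.join(verdict) or 'passes all three checks'}")
```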

Detection

OK, you clicked. By mistake, but you clicked. And it looks totally legitimate. How can you be sure? There are several tests:

  • All the tests for the link before you clicked it now apply to whatever you see in the address bar as the URL of the page you landed on. If it’s not what you expect — if it’s a number, if it’s not https secure — chances are it’s bogus. If you click on my example eBay link above, this is what you’ll see in your address bar:
    [Screenshot: the address bar shows the “Buy Leo A Latte” page]
    Needless to say, that’s not eBay. Don’t continue. (Unless you want to buy me coffee, of course. 🙂 ).
  • If your password manager (such as LastPass) usually signs you in automatically for this service and it fails to do so this time, then it didn’t recognize the URL as the legitimate URL. Don’t proceed.
  • If the site asks you to “reconfirm” by providing sensitive information like your credit card number, don’t do it. It’s likely bogus. Merchants do not need to update your entire credit card number if they keep it on file and all they need is a new expiration date. Banks never need this information, as they’re the ones that have it to begin with!
  • If, after you “log in”, you’re only presented with the information you just provided, it’s very suspicious. Legitimate services typically recognize you and display more details that they already have. If the site doesn’t do something like this, then it’s possible they’re simply trying to collect your information.

If, after you do sign in or provide your information, you get an error message, or a “service temporarily down” message, or nothing at all … it’s likely you’ve been “phished”.

Recovery

You think you’ve been phished. Now what?

As recommended by the Federal Trade Commission, you may need to do several things.

If you provided credit card or other account information to the phisher, you probably need to close those accounts. You’ll at least want to contact the appropriate customer service department for each and tell them what happened.

You’ll need to contact the consumer credit reporting agencies. This is particularly important if you live in the U.S. and gave up your social security number. This is one way identity theft happens: the successful phishers can open accounts in your name that you know nothing about.

You may want to file a report with the police. This can be an important piece of data to prove you were the victim of identity theft.

The lesson here?

I’m sure you’ve heard stories of how recovering from identity theft can be difficult, painful, and time-consuming.

The real lesson here, the one thing to walk away with, is simply this: prevention is much easier than recovery. Pay attention, remain skeptical, and avoid the problem in the first place, and you’ll be much, much safer.

There’s an old adage about telephone marketers: never give any information to someone if they called you. Only give information to someone you called. The idea is that you know who you called, and can verify who you’re calling.

The same is true for the internet: never give information to someone who independently asks for it. Only give information in transactions you initiate with sites you know.

When you go to eBay.com and log in to your own account, you know it’s really eBay and that it is your account. But if you get email from someone claiming to be eBay, it simply might not be them.


14 comments on “I Think I’ve Been “Phished”, What Should I Do?”

  1. You should also go to the site in question anyway. eBay, PayPal and most banks will have a link on their index page telling you how they will contact you and what they will ask.

  2. A few things also to take into account…

    With JavaScript enabled, the phisher can cause something other than the actual URL to appear when you hover the mouse over the link. (Some browsers will always show the true URL, perhaps in addition to the “status” message supplied by the JavaScript code.) However, most browsers allow you to see the actual destination by right-clicking the link and selecting something like “properties” from the popup menu.

    Another trick used by phishers is to redirect you to the real website, so that the URL in the address bar really is the known website, but only after popping up a “login” window on top of the main browser window. While the browser really is at the true website, the popup window still is from the phisher’s site. (Someone I know ran into this last year. While he knew enough to know this was a phish, he was at a loss to see how it worked, as the browser’s address bar showed the real site’s URL.) Most decent popup blockers probably prevent this, however.

  3. Thanks for the advice Leo, this has to be one of the most obnoxious issues out there today and the biggest way to fight back is to simply educate people. There are so many articles/blogs out there that tell about all of the issues regarding phishing, but this is one of the only that actually offers help to those affected.

    Educating people is our best option these days to potentially fix our phishing problems.

  4. I clicked a link to a bank knowing it was a bogus website (curiosity got me…just wanted to see how smooth the pranksters might really be), but I didn’t enter anything. I did notice a little pop-up that said something like “click sensor”, but it disappeared too fast to check it out further. I closed all apps and restarted my computer after a separate ad/pop-up froze up and couldn’t be closed. Should I be worried that some kind of spyware has been installed? If so, how do I get rid of it? BTW, the computer is hooked up to a server with McAfee virus protection, has a firewall, etc. Thanks for any feedback. 🙂

  5. I got a pop-up and it said Windows Internet Explorer… Your computer may have been hit with a virus, click here if you want to check… so I did, then it said my computer was hit with a virus and to click here if I want Windows to fix it. Was I phished? It looked legit, but my husband said Windows Internet Explorer won’t send you anything like that. What do I do, or what have I done?

    Your husband is right. You need to immediately run anti-virus and anti-spyware scans using legitimate tools that you choose, rather than those that might appear in some random popup.

    – Leo
    21-Nov-2008

  6. What if all I gave was an email address and password before wising up to the scam?

    “All” you gave was email and password? That’s enough.

    Leo
    26-Mar-2010

  7. I received an e-mail asking me to confirm the password to my son’s Google account. I do not know why I opened the e-mail and clicked on the link and proceeded to enter his password (not sure if it was the right e-mail or not); anyway, I am not sure if I need to do anything or not.

  8. I was phished through a Facebook friend finder. I managed to recover all my accounts (nothing monetary, thank the gods; I use them completely separately). But I did manage to find the little [edited] forwarding address. Where can I post or submit that to do him the most harm?

    The police, I would expect. Any other form just turns into revenge which can, and often does, backfire.

    Leo
    25-Jun-2010

  9. OK, I stupidly fell for this. I think I gave all the info on my game account for SWTOR, but reset all of it, even the security questions, within about 3 minutes after falling for it and giving all the info. Now, will I still get hacked if I changed everything on the account, even the security questions, or should I just leave that account? I was sent here {URL removed} and, being new to this, fell right for it. If I changed everything, will I still be hacked? Please answer fast 🙁

  10. I was trying to buy something online. When I went to check out I filled in the information page giving name, address, email address and had to set a password, then clicked proceed and Internet Explorer could not open the next page. I then checked my emails; the company had sent me an email, but when I opened it I received a warning that it may not be genuine and I was asked if I would like to report an attempt at phishing (which I did). So I don’t know if I have been phished or not? Any help or advice would be great.

  11. @Jimmy,
    What you expect, when you buy something online, is to immediately receive an email, sometimes even several emails. They will be sent to help you verify your account, and to confirm your purchase. So receiving an email like that, (even though IE crashed and didn’t let you finish) is not suspicious. It seems unlikely that it was phishing.

    Your best bet is to contact customer support at the site and let them know what happened.

  12. OK I was stupid.
    I entered my Gmail credential into a fake page.
    I recognized the phishing after 24 hours and changed my Gmail password. Anything else that I should do?
    I was surprised to find nothing changed, including recovery emails or forwarding; everything looks normal.
    I’m worried that in the 24 hours they might have recovered other information and they are planning to do something else with it.
    I’d like to know more about these guys. Can I tell more from the email header?
    Thanks

Comments are closed.